Blogger: Eric Maiwald
Intel sponsored a study (released on April 22, 2009) by the Ponemon Institute on the cost of lost laptops. The sample size for the study was not large (138 cases) so the value of any statistical conclusions is questionable right from the start.
The initial analysis and conclusion is startling – the average cost of a lost laptop is $49,246 when you factor in all of the costs (including not only hardware replacement but investigations, data breach, intellectual property loss, and local costs). But if you dig into the information provided in the report and in Appendix 1, there is more to the story. So…to steal a line from Paul Harvey, let’s look at the rest of the story.
While the average cost may be over $49,000, bar chart 1 shows the quartile cost results. The averages of the first three quartile costs are all below $4,000 and it is only the average of the fourth quartile that skyrockets to over $186,000. Table 1 shows a break out of the average total cost in terms of the components that were used to calculate the overall cost of the loss of a laptop. It clearly shows that the largest cost factor (over $39,000 of the total $49,000 cost) is data breach cost which is calculated (not measured) based on a $202 per disclosed record average cost identified in an earlier Ponemon study. Intellectual property cost is a distant second at just about $6,000.
Now, let’s go look at the table in Appendix 1. Three lines (with three big numbers and huge variations) jump out at me. First is the line regarding data breach cost – minimum $0, maximum $973,400. That is a huge swing over 138 cases. The second line is the line regarding intellectual property loss – again the minimum is $0 but the maximum is huge $250,000,000 (that’s $250 Million!) - an even bigger swing over 138 cases. The last line is near the bottom, Other legal or regulatory costs (expected) – minimum $0 and maximum $36,000. So what does this tell us? It looks an awful lot like there were a small number (maybe one or two) of cases where data was breached and/or intellectual property was lost. But for most cases no data was breached and no intellectual property was lost. I think this conclusion is borne out by bar chart 4 which shows the average intellectual property loss by industry, Three industries (totaling 23% of the total cases) had much higher intellectual property loss averages than the other industries.
So what can we conclude looking at this study? I don’t think you can conclude anything. I guess my biggest complaint is that Ponemon shows averages but not the distribution of the samples. We can see the minimum and the maximum sample for various cost categories but that does not tell us much. By looking at the average in comparison with the minimum and maximum, I think we can draw the conclusion that most of the samples were closer to the minimum than the maximum but that is about it. We can also conclude that the median would fall between the 2nd and 3rd quartile averages (probably around $3,000) which is less than 10% of the reported average. Readers should not go hanging their hats on this study as justification for any type of decision.